diff mbox series

[FFmpeg-devel] avcodec/mvha: Check remaining bits in VLC decode loop

Message ID 20200115232950.24209-1-michael@niedermayer.cc
State Accepted
Headers show
Series [FFmpeg-devel] avcodec/mvha: Check remaining bits in VLC decode loop | expand

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer Jan. 15, 2020, 11:29 p.m. UTC 
Fixes: timeout (252sec -> 170msec)
Fixes: 20023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5681192565473280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mvha.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Michael Niedermayer Feb. 9, 2020, 8:31 p.m. UTC | #1 
On Thu, Jan 16, 2020 at 12:29:50AM +0100, Michael Niedermayer wrote:
> Fixes: timeout (252sec -> 170msec)
> Fixes: 20023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5681192565473280
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/mvha.c | 2 ++
>  1 file changed, 2 insertions(+)

will apply

[...]
diff mbox series

Patch

diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c
index afe5e511f2..47706e338b 100644
--- a/libavcodec/mvha.c
+++ b/libavcodec/mvha.c
@@ -233,6 +233,8 @@  static int decode_frame(AVCodecContext *avctx,
 
             dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
             for (int y = 0; y < avctx->height; y++) {
+                if (get_bits_left(gb) < width)
+                    return AVERROR_INVALIDDATA;
                 for (int x = 0; x < width; x++) {
                     int v = get_vlc2(gb, s->vlc.table, s->vlc.bits, 3);